L-CPPA: Lattice-based conditional privacy-preserving authentication scheme for fog computing with 5G-enabled vehicular system

The role that vehicular fog computing based on the Fifth Generation (5G) can play in improving traffic management and motorist safety is growing quickly. The use of wireless technology within a vehicle raises issues of confidentiality and safety. Such concerns are optimal targets for conditional privacy-preserving authentication (CPPA) methods. However, current CPPA-based systems face a challenge when subjected to attacks from quantum computers. Because of the need for security and anti-piracy features in fog computing when using a 5G-enabled vehicle system, the L-CPPA scheme is proposed in this article. Using a fog server, secret keys are generated and transmitted to each registered car via a 5G-Base Station (5G-BS) in the proposed L-CPPA system. In the proposed L-CPPA method, the trusted authority, rather than the vehicle’s Onboard Unit (OBU), stores the vehicle’s master secret data to each fog server. Finally, the computation cost of the suggested L-CPPA system regards message signing, single verification and batch verification is 694.161 ms, 60.118 ms, and 1348.218 ms, respectively. Meanwhile, the communication cost is 7757 bytes.


Introduction
After the World Health Organization indicated an increase in the number of deaths and accidents on the roads, intelligent transportation systems (ITS) became the interest of academic scholars and companies [1][2][3].The Fifth-Generation (5G)-assisted vehicular system with supporting computing based fog is the most promising in the domain of ITS in order to preserve people, regulate the road environment and manage traffic jams.The number of cars in cities is rising rapidly, and drivers' needs are becoming more varied [4][5][6].
Consequently, the 5G mobile networks supporting vehicular communication can provide the necessary high bandwidth and extensive coverage in the present day's applications.It offers a variety of difficulties and potential benefits for road networks.For 5G wireless networks, the maximum data transfer rate is 20 Gb/s, that the medium value is 100 Mb/s [7,8].The essential goal of fog-based computing is not only to boost the system's processing capability but also to lower the system's return pressure and improve the user's service experience by processing data locally at the vehicle terminal rather than sending it to the trusted authority in the network's distant core [9][10][11].
Information overflow due to redundant data may occur in autonomous vehicles because of the necessity for real-time sensing, calculation, and communication.In addition, the limited range of current communication technologies makes it challenging to anticipate traffic conditions outside of a vehicle's line of sight.Autonomous driving conditions have seen the development of digital twin systems to address these concerns [12].Sensitive information about drivers is easily intercepted and altered since the data created by automobiles in motion with servers is carried on public networks.Furthermore, servers are put under extreme strain by the vast quantities of true-time data produced by these cars, equipment, users, passengers, and other social links.As a result, Chen et al. [13] presented a secure authentication technique that makes use of private cloud infrastructures.In addition, they provided a more efficient key transport stage to lessen the burden of computation on servers of cloud.
To cause havoc on the roads, hackers can alter, counterfeit, replay, or otherwise tamper with the messages vehicles communicate with one another via computing-based fog with 5Gassisted vehicular network.Information about the car (its location, the quality of the roads, etc.) is included in these transmissions [14,15].As a result, these communications need to be protected and taken against the third party before the transportation system can be put into action.
Many conditional privacy-preserving authentication (CPPA) techniques, however, have been presented as ways to encrypt and safeguard communications between cars.Methods based on Certificateless-Based, Identity (ID) (Chebyshev Polynomial, Elliptic Curve Cryptography (ECC), and Bilinear Pair Cryptography (BPC)), Group Signature (GS), and Public Key Infrastructure (PKI) are frequently employed in CPPA.Most current systems are constructed with primitives based on standard cryptography, such as Elliptic Curve Diffie-Hellman or Diffie-Hellman, making them vulnerable to quantum attacks.
Consequently, the intent of this research is to propose a lattice-based CPPA method for 5Gassisted vehicular system with fog computing in order to counteract quantum attacks utilising post-quantum cryptography techniques.The following are the major results of our solution work.
• In this paper, we take a look back and examine a sophisticated taxonomy of the existing authentication and conditional privacy-preserving schemes based on the approaches used: Certificateless-Based, ID (Chebyshev Polynomial, ECC and BPC), GS, and PKI.
• This research offers a system model for 5G-assisted vehicular system with fog computing by substituting a fog server for cloud computing throughout the authentication process and the coverage zone of 5G-BS for the limited reach of Road-Side Units (RSUs).
• For 5G-assisted vehicle fog computing, this work offers a lattice-based conditional privacypreserving authentication (L-CPPA) approach to succeed anti-piracy and security features.
• In this research, we analyse the security of the proposed L-CPPA system and show how efficient it is in terms of communicational and computational overheads.
Our remaining tasks are divided into several parts: Section 2 proposes the classification of the related works.Section 3 provides the background of the vehicular network.The solution's six algorithms are proposed in Section 4. The analysis of security and efficient of performance of this paper are provided in Section 5 and 6, respectively.Section 7 shows the conclusion of this work.

Related work
Some existing authentication and privacy-preserving systems suggested in order to secure vehicular networks.As presented in Fig 1, this paper provides a sophisticated taxonomy of systems as follows.

Public Key Infrastructure (PKI)
Several researchers [16][17][18][19][20][21][22][23][24][25][26] have proposed PKI systems to provide authentication and privacypreserving attributes for the vehicular network.During the early 2000s, Raya et al. [16] and Hubaux et al. [17] investigated various privacy and security attributes and issues related to intelligent vehicular.Nevertheless, PKI-based schemes need a massive number of key pairs and the pertinent certificates of identity to be preloaded in each registered vehicle.The main reason for preloading a large number of parameters is to keep the node's identification.Due to a vehicle having to randomly select a key pair to preserve message authenticity and integrity attributes in every communication, the expense of storing vehicles and trusted authority (TA) is high.Meanwhile, it is difficult for the TA to determine a malevolent adversary's true identity.

Group Signature (GS)
As a concept, Group Signature (GS) was proposed for the first time by van Heyst and Chaum [27].Joiner of a domain can sign documents on behalf of the whole without revealing their identities.Many academics [28][29][30][31][32] have developed GS-based methods to deal with the problems that can occur with PKI-based systems.However, due to the rise in the number of banned cars, such a strategy necessitates a massive expansion of the Certification Revocation List (CRL).In addition, there are large communication and computation costs associated with the two pairing-based procedures.

Identity (ID)
Numerous scholars have proposed ID based systems to improve upon the drawbacks of the aforementioned (e.g., PKI and GS methods) and provide extensive protections for vehicular networks.For ID-based schemes, the public key is derived from the node's identifier and the master data is generated by a TA.Schemes are classified according to whether they use bilinear pair cryptography, elliptic curve cryptography, or the Chebyshev polynomial.These methods are discussed in this publication.

Bilinear pair cryptography.
Several researchers [33][34][35][36][37][38][39] have used operations correlating with BPC to verify and sign signatures.BPC is effective in signing and verifying signatures, however, the processes involved are complex and time-consuming, resulting in significant performance efficiency losses.Message verification in the Pournaghi et al. [39] system requires three bilinear pair processes and one hashing on the side of the checker, while message signing only requires one bilinear pair procedure and one hashing of map-based point on the part of the contributing registered vehicle.

Elliptic curve cryptography.
To avoid using time-consuming operations associated with bilinear pair and Point-to-Map hashing function, He et al. [40] constructed an IDfounded system applying lightweight operations associated with ECC for message signature verification.Additionally, several researchers [41][42][43][44][45][46][47] have proposed an authentication schemes based on ECC.Al-Shareeda et al. [45] use ECC without the road-side unit (RSU) to secure communications among vehicles in a 5G-enabled vehicular network.This scheme needs four scalar point multiplication operations to verify a single message shared among vehicles.The scheme of Al-Shareeda et al. [45] suffer from enormous overhead regards communicational and computational costs.

Chebyshev polynomial.
Several scholars [31,48,49] have proposed employing operations based Chebyshev polynomial in terms of semi-group and chaotic to reduce the need for a high number of operations in elliptic curve cryptography.To protect data transmissions in 5G-assisted vehicular system with fog computing, Cui et al. suggested a Chebyshev polynomial-based approach [31].In this setup, fog servers are used as a link in the chain between automobiles and TA.

Certificateless-based
The escrow problem is the ID-based solutions' primary drawback.Therefore, several researchers [50][51][52] have proposed a certificateless-based scheme to secure communication.Mei et al. [52] constructed the overall signature approach with conditional privacy preservation that is certificateless.This scheme utilises the complete aggregation approach to cut down on processing costs before achieving conditional privacy preservation through the usage of a pseudonym mechanism.

Post quantum cryptography
Nevertheless, the majority of existing schemes (including those discussed above) are built using conventional cryptographic primitives like Diffie-Hellman or Elliptic Curve Diffie-Hellman.Such schemes are well known to be vulnerable to quantum attacks.Thus, these schemes [53][54][55] are designed to mitigate quantum attacks.Utilizing lattice, Mukherjee et al. [53] developed a batch-verifiable authentication scheme for vehicular networks.Dharminder et al. [54] suggested an authentication and privacy system based on lattice that provides batch verification of message revocation and multiple signatures.One drawback of such latticebased schemes in [53,54] is that each OBU stores the master data of the TA, opening up a potential attack vector.Li et al. [55] designed a lattice-based scheme to simultaneously provide mutual authentication and privacy-preserving.Li et al. [55] suffered to update the secret key of OBU's vehicle during online mode and are vulnerable to satisfying revocation attribute.
Based on our knowledge, this is the first proposed authentication system with privacy-preserving using lattice cryptography for fog computing with 5G-enabled VANET, which these previous studies are vulnerable to quantum attacks since using traditional cryptography.This work, therefore, offers a lattice-based conditional privacy-preserving authentication (L-CPPA) strategy for 5G-assisted vehicle system with fog computing.To overcome the restriction introduced by [55], the suggested L-CPPA system uses a fog server to produce and transmit a secret key for each enrolled car via 5G-BS.To overcome the restriction in [53,54], the TA in the suggested L-CPPA system stores its master secret data to each fog server rather than the OBU of the vehicle.

Preliminaries
In this section, the proposed system model, mathematical used, and design goal are offered in detail as follows.

Proposed system model
The proposed system paradigm for vehicle networks is laid out in this part, and it makes use of fog servers and 5G technologies.In order to authenticate users, our suggested system uses a fog server instead of cloud computing [31].To counteract the limited range of the Road-Side Unit (RSU) we propose using 5G-BS for our communications [48].The four essential parts of our suggested system model are the 5G-Base Station (5G-BS), Trusted Authority (TA), On-Board Unit (OBU) and the fog server, as illustrated in Fig 2 .The following is an explanation of how each part performs its designated task.
• Trusted Authority (TA): In this system model, the TA serves as a reliable third party and has strong computational capabilities.It is the responsibility of the TA to create system parameters and preload these data into each fog server and vehicle offline.As a result, the TA is the one who can determine each vehicle's true identity via a supporting fog server from the replying communication data.In this paper, we assume the TA component is very strong and reliable from masquerading attacks.
• 5G-Base Station (5G-BS): The 5G-BS is frequently used as a radio apparatus along the side of the road.In our proposed, 5G-BS doesn't do any storage and computation method.
• Fog Server: The fog server is frequently utilised as a wireless device along the 5G-BS.Normally, the fog server communicates with vehicles via the 5G protocol via 5G-BS.The fog server must validate messages sent by vehicles during communication.After that, it either processes those signals locally or transmits them to TA.
• On-Board Unit (OBU): The system model requires that every vehicle have an OBU.Its is a juggle-proof system that prevents data from ever leaking.Additionally, using the DSRC and 5G protocols, the OBU might offer wireless technology among vehicles or a close fog server.

Mathematical used
As in [56], uppercase strong letters represent matrices, while lowercase bold letters represent vectors.A set, such as E, is written in bold italic uppercase.Meanwhile, R and Z indicate the set of real numbers and the set of integers, receptively.

Lattice.
The Euclidean space R s 's discrete additive subgroup is known as an sdimensional lattice ^.It supposes that U 1 , U 2 , ‥, U s are s linearly distinct elements in R s .If any item in the lattice ^can be calculated from U 1 , U 2 , ‥, U s , those linearly distinct elements U 1 , U 2 , ‥, U s are a foundation of ^.Meanwhile, the foundation matrix of that lattice ^is identified as E = (U 1 , U 2 , ‥, U s ).Formally, ^is a set identified as follows: • Challenge of Small Integer Solution (SIS): Given a real number α, a positive integer q, and a random matrix A 2 Z b * a q , the problem of SIS is to resolve a non-zero element B 2 Z a for instance DB = 0 modq with kBk � α.Particularly, for an element c 2 Z s of non-zero.
• Challenge of Inhomogeneous Small Integer Solution (ISIS): The challenge of ISIS is to resolve a vector B 2 Z a for instance DB = c mod q, that kBk � α.
It should be noted that our system model for fog computing with a 5G-based vehicular system relies heavily on the SampleD and TrapGen algorithms.We shall demonstrate the pertinent lemmas regarding these approaches as follows: • Lemma 1 [57]: Supposed a safeguarding element s and two integers q � 3, a > 5nlogq, a random matrix D 2 Z a * b q can be generated with the help of the probabilistic polynomial time technique TrapGen and a foundation � ^(D).Over, the inequality T D || � O(slogq) holds with massive likelihood.
• Lemma 2 [58]: Supposed a safeguard element e, a main element q, a true element δ, a value a � β and duo matrices D inZ a * b q , T D 2 Z a * a q .A lattice ^(D) is defined by the matrix D. T D is the foundation of this cryptography.if d � kT D kwð ffi ffi ffi ffi ffi ffi ffiffi logs p Þ, for any element B 2 Z n q , methods based on SampleD probabilistic polynomials can produce an element at a certain time v 2 Z a q such that D v = B mod q.Meantime, the inequality kvk � d ffi ffi ffi a p ok with negligibleless likelihood.

Distribution of Gaussian.
The Gaussian distribution on R a is identified by the following formula for a item c 2 R a and a ideal value δ > 0 δ is the Gaussian distribution's level deviation, while c is its mean element.
• Discrete Gaussian Distribution: The Gaussian distribution on a lattice ^is denoted by the expression αδ, s(^) = ∑ w2^( w).In order to calculate the lattice ^'s discrete Gaussian distribution, we use the following formulas for the mean number t and the level deviation δ: As an example, when c = 0, the distribution of discrete Gaussian is expressed as D ^;d;t .The following are two guiding principles that completely describe the distribution of discrete Gaussian.
• Lemma 3 [59]: The standard deviation is a positive real value δ.It is possible to draw the following conclusion for any positive value k > 1.
• Lemma 4 [59]: For any element v 2 Z b , the distribution of Gaussian item δ is equal to δ = wðkvk ffi ffi ffi ffi ffi ffi ffi ffi logn p logðN=ðN À 1ÞÞÞ, provided that l, s and N are all positive integers.
• Rejection Sampling Lemma [59]: It supposes where V is a class of Z b , in which the norm of any item is less than T.Meanwhile, d 2 R is the allocation of Gaussian element acting the evenness d ¼ wðT ffi ffi ffi ffi ffi ffi ffi ffi loga p Þ true.h: v !R is a likelihood function of distribution.The statistical gap between the true allocation and the perfect allocation 2 À wðlogaÞ a can be determined by calculating a constant M. Distribution of real:

Design goal
To ensure a secure connection in the fog computing with the 5G-assisted vehicular system, privacy and security are both essential.Some privacy and security attributes of the proposed L-CPPA scheme will be thoroughly explained in the information that follows.
• Message Authentication and Integrity: The recipient can accurately confirm the veracity of messages from cars.Recipients can also quickly identify any changes made to the communications they received.
• Identity Privacy-preserving: All vehicles are unable to deduce the true identity of any vehicle from any communication.Additionally, any attacker is unable to determine a vehicle's true identification.
• Traceability and Revocation: When necessary, the messages provided by this vehicle can be used by the TA to trace and revoke any car's true identity.
• Un-linkability: No attacker can link two distinct data coming from the same legitimate car.
• Resistance to Attacks: Our proposed requirement is to withstand various common attacks in the 5G-enabled vehicular fog computing, such as the MITM assault, the modify assault, the replay assault, the forgery assault, and the quantum assault.

Adversary model
The suggested L-CPPA strategy for fog computing with a 5G-assisted vehicular system has an adversary model, the scope and limitations of which are defined in this part.The following is an adversary model that the proposed L-CPPA technique should be able to counter.
• Modify Assaults: A robust policy against impersonation attacks is one that effectively stops attackers from posing as legitimate users.
• Man-In-The-Middle (MITM) Assaults: To resist MITM, a third party must be not able to capture the message sent between the legal senders and receivers.
• Forgery Assaults: To prevent a forgery assaults, the protocol must be able to expose the attacker's effort to fabricate the sent traffic.
• Replay Assaults: To prevent traffic from being recovered from one session and used in another, the protocol should incorporate a nonce or timestamp into each message.
• Quantum Assaults: To resist quantum attacks, traditional cryptography should not be used in the proposed.

The proposed L-CPPA scheme
In-depth information about the suggested L-CPPA strategy for fog computing with the 5Gassisted vehicular system is presented here.The suggested L-CPPA technique employs both the SampleD [58] and TrapGen [57] crucial algorithms.In addition, the five essential processes of the suggested L-CPPA system are shown in the vehicles hide TID i by hashing the verification code and current timestamp T i together.Table 1 clarifies the notation applied in this work.TID i and AID i refer to true identity and anonymous identity, respectively, which describes in Table 1.

Initialization step
During this procedure, TA releases the system's public and security parameters.Then, TA loads all registered fog servers with the necessary public and security parameters.What follows is a description of that procedure.
• TA picks an item q > 3 of odd, security parameter k, and two positive integers a, b > 5k log q.
• TA performs the TrapGen(1 a , 1 b , q) algorithm to issue the central secret key E 2 Z a�b q and the central public key D 2 Z a�b q , where ED = 0(modq) and |E| � 0(a logq).Additionally, the spread of D is vague from a random matrix.
• TA selects four secure general hash operations as follows; h 0 : f0; 1g • TA sends the parameters of system {k, q, a, b, D, h 0 , h 1 , h 2 , h 3 } to all fog servers.
• To ensure the security of all fog servers, TA preloads its master secret key E.

TA
The trusted authority.

fs j
The fog server.
q An odd prime and module.

a, b
Two positive integers. k The security parameter.

E
The TA's central secret key.

D
The TA's central public key.

AID i
The i-th vehicle's anonymous identification.

PWD i
The password of the OBU.

TID i
The true identification of the car.
T 5 The delay of predefined time.

�
The operation's exclusive-OR.

VC i
The verification code.
The signature of message sent

SK i
The vehicle's private key.

SK enc i
The encryption key for private key SK i .

C i
The hash value.

M i
The message exchange among vehicles.
μ i , w i The random values.

Vehicle registration step
Before a car is allowed to leave the factory, it must go through this registration process with TA.What follows is a description of that procedure.
• Driver sends vehicle's true identity TID i and password PWD i to TA via a hidden method.
• Upon obtaining the vehicle's identifying information, TA initial confirms the car's legitimacy.
• TA select a random number VC i as a verification code which uses during the next phase for the first verification with the fog server.Then TA preloads VC i to the TPD of OBUs.
• TA saves tuples {TID i , PWD i , VC i } on the list of vehicle registration.

Joining step
To begin using the car as an legalized/enrolled node in a 5G-assisted vehicular system with fog computing, the car, the fog server, and the TA all need to carry out this step.The steps involved are outlined below.
• The anonymous pair identifier AID i is calculated as follows: vehicle v i uses verification code (VC i ) and chooses number w i .
• Vehicle v i then transmits items fAID 1 i ; AID 2 i ; T 1 ; s 1 g to fog server fs j via communication zone by 5G-BS, where T i is freshness timestamp and s 1 ¼ h 2 ðAID 1 i kAID 2 i kT 1 Þ. • When receiving tuples fAID 1 i ; AID 2 i ; T 1 ; s 1 g, fog server fs j confirms the tenderness of timestamp in order to avoid replay attacks as the following equation.
• Fog server fs j checks the integrity of the tuple by computing the following equation.
If Eq (7) doesn't hold, fog server fs j rejects for completing joining steps since the attacker has occurred.Otherwise, fog server fs j continues the next steps.
• Fog server fs j sends tuples fAID 1 i ; AID 2 i ; T 1 ; s 1 g to TA in order to check the authenticity of the vehicle.
• When receiving tuples fAID 1 i ; AID 2 i ; T 1 ; s 1 g, TA extracts car's authentic identification by computing • TA checks the authenticity of the car's authentic identification TID i whether matching in the list of vehicle registration or not.If it is not ok, TA transmits illegal node to fog server fs j .Otherwise, TA transmits (legal node , VC i , TID i ) to fog server.
• When receiving illegal node , fog server fs j discards the tuple fAID 1 i ; AID 2 i ; T 1 ; s 1 g and ends the session.Otherwise, fog server fs j continues the next steps.
• Fog server fs j computes the hash number C i = h 0 (TID i ) and selects a true value d � kE 0 * að ffi ffi ffi ffi ffi ffi ffi ffi logb p Þk, where E' indicates the orthogonalization of the matrix E.
• Fog server fs j runs the algorithm of SampleD(D, E, δ, C i ) to produce secret key SK i 2 Z b�k q , where D * SK i = C i (modq).
• Fog server fs j encrypts SK enc i Fog server fs j then sends tuples fSK enc i ; T 2 ; s 2 g to vehicle v i .• When receiving tuples fSK enc i ; T 2 ; s 2 g from fog server fs j , vehicle v i tests newness of timestamp T 2 in order to resist replay attacks.
• Vehicle v i decrypts private key SK enc i by computing Vehicle v i then confirms the originality and integrity of tuples by computing the following equation.
If Eq (8) doesn't hold, vehicle v i rejects for completing joining steps since the attacker has occurred.Otherwise, vehicle v i saves its private key SK i on TPD to continue the next steps.
Note that the way to check the freshness of timestamp T i by computing Eq 9, where T r is a delay of receiving time and T 5 is a delay of predefined time.

Message signing step
In this step, the car v i that wants to relay message M i to the other vehicles of fog servers does so.This procedure is explained below.
• In order to accomplish the unlinkability characteristic, vehicle v i chooses a value μ i and uses the following equation, where T i is the existing device timestamp, to compute the pair anonymous identity AID i .
• Vehicle v i calculates the signature key by generating • Vehicle v i computes hash value signature

Signature verification step
In this step, the recipient (a moving vehicle or a fog server) is validated to ensure the signature it has received is genuine.This method can be used for either single-check or batch-check verification.The following section elaborates on these steps.

Single verification process.
Here, the suggested L-CPPA technique only requires one verification step to ensure that the signature {AID 1 , M 1 , B 1 , T 1 , σ 1 } was sent by the intended sender, vehicle v 1 .What follows is an explanation of how this works.
• After receiving {AID 1 , M 1 , B 1 , T 1 , σ 1 }, the verifier checks first freshness of T 1 , the verifier discards to do the coming step.
• The verifier then tests whether Eq 11 holds.
If the checker is unable to successfully check Eq 11, then the notification M i may be ignored.If σ i is not genuine, the verifier will not accept the letter M i .

Batch verification process.
The suggested L-CPPA system might use batch verification mode to check the authenticity and integrity of many signatures at once, which is an improvement above the efficiency of traditional verification (e.g., a single verification operation).What follows is a description of that procedure.
• The verifier then confrims whether Eq 12 holds or not:

Provable security
This section proves the security model, security analysis and security attributes of the suggested L-CPPA system for a 5G-assisted vehicular system with fog computing.

Security model
This subsection describes the security model of the proposed L-CPPA scheme based on the ability of the adversary and the network model of the 5G-assisted vehicular fog computing.The security model is essentially a safeguard test that adversary A and challenger C are playing.
The following inquiries may be made in order to help A acquire the necessary skills for the security game.
• Oracle (h 0 ): The main idea of this query is the challenger C selects a random matrix X i Z n�k q and adds the tuple (TID i , X i ) into the List h 0 .C returns the matrix X i to A.
• Oracle (h 1 ): Once obtaining the query from A, C selects a random value v j 2 Z n q and puts the tuple (Sk i , v j ) into the List h 1 .C returns the value v j to A.
• Oracle (h 2 ): Once obtaining {AID i , T i } from A, C selects a random value y j 2 0, 1 k as the answer outcome and gives y j to A. C puts the tuple {AID i , T i , y j } into the List h 2 .
• Oracle (h 3 ): In this query, C picks a random item z i 2 Z k q as the response result of the tuple • Oracle (sign): In this query, A sends a message M i to C. The query output is that C computes a tuple {AID i , M i , B i , T i , σ i } and gives this tuple to A.

Security analysis
Theorem 1: In the random oracle model, the proposed L-CPPA technique is safe against an adversary with polynomial time complexity A, as measured by the hardness of SIS/ISIS issues.
Proof: To demonstrate this theorem, C and A engage in what amounts to a security game.In this game's specific procedure, opponent A is assumed to have the ability to make Oracle (h 0 ) queries Qh 0 times, Qh 1 queries Qh 1 times, Qh 2 queries Qh2 times, Qh3 queries Qh 3 times, and Qs queries Qs times.It also assumes that A can compromise our scheme's existential unforgeability with a probability of varepsilon.In addition, it presupposes that TID i is the identity of the vehicle associated with the signature that A wants to fake.Using the knowledge (D), and the power (U), C hopes to defeat ISIS and win the game.In this security game, the challenger C and the adversary A specifically do the below: • Setup: Once obtained the safeguard element n, C produces the central public key D using the system parameters {m, k, q, h 0 , h 1 , h 2 , h 3 }.After that, C sends A the updated settings for B.
• Query: In the security test, the attacker could use five distinct Oracle queries: Oracle (h 0 ) query, Oracle (h 1 ) query, Oracle (h 2 ) query, Oracle (h 3 ) query, and Oracle-based Sign (sign) query.The C also keeps track of the elements of these hash oracle queries in four empty lists: L h 0 , L h 1 , L h 2 , and L h 3 .As a next stage, C will re-run these questions.
• (h 0 ): Once obtainin the query {TID i } from C, A initial confirms if the tuple (TID i , X i ) has existed in the list L h 0 or not.If this element is in L h 0 , C gives X i to the adversary.Otherwise, C random selects a matrix X i Z n�k q and puts the element (TID i , X i ) into the list L h 0 .Finally, C outputs this attacker's query with X i .Especially, C replays this query with U if TID i ¼ TID * i .• (h 1 ): In response to a query Sk i sent from A, C will first locate the entire list L h 1 for (Sk i , v i ).
Whenever this component is present, C will provide v i to A. If not, C will respond with a random vector value, v j 2 Z n q .The item (Sk i , v i ) will then be inputted to the list L h 1 .
• (h 2 ): If {AID i , T i } is an Oracle query conducted by A, then C will determine if it already exists.A is given yj by C from L h 2 if and only if the pair {AID i , T i , y j } has already appeared in that set.If not, C chooses a random vector value from {AID i , T i , y j } and sends it back to A as the value y j .And finally, C appends the item {AID i , T i , y j } to the list L h 2 .
• (h 3 ): After A's query {AID i , T i , B i , M i } returns results, C first chooses whether or not the item in question has been added to the list Lh3.The value zi is returned by C from this query if and only if the element {AID i , T i , B i , M i , z i } exists.In any other case, C picks a random element from z i 2 Z k q and appends the element {AID i , T i , B i , M i , z i } to the list L h 3 .After everything is said and done, z i is forwarded to A.
• (Sign): With Sign process, C does not realize any data around the central private key E and any vehicle TID i 's secret key Sk i .Thus, C can not opportunely answer a sign query from A by running the data signing step.If M i is the oracle (Sign) query made by A, C first random selects σ i and AID 2 i .Then C random selects α i , U i , and B i .After, C can calculates After that, C inputs AID 1 i and AID 2 i .Finally, C gives the tuple {AID i , M i , B i , T i , σ i } to the adversary A as the query output.An adversary A can verify sigmai's authenticity after acquiring the tuple {AID i , M i , B i , T i , σ i } from C. However, you'll need to pick out Event 1 and Event 2 .To execute the oracle (Signing) query, A must first execute the Event1 event of running an oracle h2 query such that α i = h 2 (AID i , T i ).When A runs the oracle h3 query, Event 2 occurs because v.This occurs before the oracle (Signing) query.Challenger C loses the security game if Event1 and Event2 occur.
• Forgery: If C has completed the Setup and Query phases successfully, then A will be chosen to produce a legal signature in this step.The tuple {AID i , M i , B i , T i , σ i } is considered A's signature since we presume that A can violate the empirical unforgeability of our proposal.It has The game was then played again by C with A as the adversary.Likewise, A can create a legal signature at the end of another test.For simplicity, it supposes that the tuple fAID * When the aforementioned two values could be correctly validated, C can figure out the equation shown below: With applying the above values, C could calculate the result of the challenge of ISIS.We select an element λ for instance ða * i À a 0 i Þl ¼ I k�k mod q, where I is the identification matrix.Therefore, we define that Since a * i and a 0 i are both various values and λ is an element of non-zero, C could utilises A to resolve the challenge of ISIS passing.Additionally, the likelihood of C to resolve the challenge of ISIS is: Nevertheless, as is common knowledge, no polynomial-time algorithm can resolve the problem of ISIS.The proposed L-CPPA scheme is safe, as per the notion of proof by contradiction.

Security attributes
This section discusses the security attributes of the suggested L-CPPA system required to achieve as follows.
• Theorem 2: The suggested L-CPPA system for fog computing with a 5G-assisted vehicular system achieves message authenticity and integrity.

Proof:
From Theorem 1, it can conclude which a legal value can not be faked by any attacker based on time based polynomial since the ISIS problem difficulty.Thus, the verifying recipient has capable to verify the authenticity and validity of a legal signature {AID i , M i , B i , T i , σ i } easily by checking Eqs 11 and 12. Therefore, the suggested L-CPPA system can realize message integrity and authenticity.
• Theorem 3: The suggested L-CPPA systemfor fog computing with 5G-assisted vehicular system achieves identification privacy-preserving.Proof: A vehicle's true identification TID i is utilised to create its anonymity-IDs AID i by its OBU.We define that After obtaining this anonymity AID i , an attacker should have the sensitive element Sk i or resolve the another value of h 1 (Sk i ) if it wishes to reveal TID i from AID i .However, there is very little chance that one of these events will occur.As a result, the suggested L-CPPA system can safeguard the anonymity of individual identities within fog computing with a 5Gassisted vehicular system.
• Theorem 4: The suggested L-CPPA system for fog computing with 5G-assisted vehicular system achieves traceability.Proof: In fog computing with a 5G-assisted vehicular system, the message is exchanged among vehicles by using their anonymity-IDs.The anonymity-IDs AID i of a car is issued by its OBU utilising TID i and the relevant secret key Sk i .We know that and If required, TA saves value VC i during the registration list.Then, TA can easily reveal TID from AID 2 i by calculating So the proposed L-CPPA scheme can achieve traceability of a vehicle's authentic identification in fog computing with a 5G-assisted vehicular system.
• Theorem 4: The suggested L-CPPA system for fog computing with 5G-assisted vehicular system achieves un-linkability.
Proof: To create a legal parameters {AID i , M i , B i , T i , σ i } in the fog computing with 5G-assisted vehicular system, a vehicle random selects an element μ i and a matrix A i during running the proposed L-CPPA scheme.We define that Pk Owing to the randomness of μ i and A i , an adversary with a polynomial time limit cannot link any two various anonymous identification or signatures from the same source.As a result, fog computing with the 5G-assisted vehicular system can achieve unlinkability using the proposed L-CPPA scheme.
• Theorem 5: The suggested L-CPPA system for fog computing with a 5G-assisted vehicular system resists lots of attacks, such as the modify assault, the MITM assault, the forgery assault, the replay assault, and the quantum assault.
• Modify Assault: In the suggested L-CPPA system, any alteration on the tuple {AID i , M i , B i , T i , σ i } can be founded by checking Eqs 11 and 12. Thus, the modify assault could be withstood by the suggested L-CPPA scheme.
• MITM Assault: The suggested L-CPPA system can implement message authentication between two vehicles in fog computing with a 5G-assisted vehicular system, according to Theorem 2. As a result, our suggested is resistant to a MITM assault.
• Forgery Assault: The adversary must successfully forge a legitimate signature {AID i , M i , B i , T i , σ i } on a message M i in order to pass as a vehicle.Namely, Eqs 11 and 12 must be achieved.Nevertheless, Due to the difficulty of the ISIS problem, the benefit of the adversary producing such a data tuple is quite small.Consequently, the suggested L-CPPA system can resist a forgery assault.
• Replay Assault: In the suggested L-CPPA scheme, a time-stamp T i is inserted in a value {AID i , M i , B i , T i , σ i }.Once testing this signature, fog servers and other vehicles would test the newness of T i .Therefore, the time-stamp T i achieves the suggested L-CPPA scheme to resist the replay assault.
• Quantum Assault: The unforgeability-based existential of the suggested system is founded on the ISIS/SIS problems, according to the security analysis.However, the ISIS/SIS problems cannot be resolved by the quantum adversary.We would conclude that the L-CPPA scheme under consideration is immune to quantum assault.

Performance evaluation and comparison
This part evaluates and compare the suggested L-CPPA system and two other authentication schemes [53,54] in terms of computation and communication costs.Due to the problem of ISIS forming the basis for the security of the suggested L-CPPA system in 5G-assisted vehicular fog computing, we carefully choose the pertinent parameters to ensure that the ISIS challenge achieves the desired safeguard standard.Our scheme's module q was set to 101 in order to achieve the safeguard standard of 123 bits.Moreover, the master public key's number D i 2 Z a�b q of rows and columns are 100 and 666.More specific, a = 100

PLOS ONE
and b = 666.The secret parameter k for an OBU has 80 columns.In addition, the discrete Gaussian distribution in our procedure has a standard deviation δ of 1.0038.

Computation costs
In this part, we conduct a thorough evaluation of our scheme's computational overhead.This cost of the suggested L-CPPA system and two other works [53,54] is compared.Table 2 lists some notations used and their description and execution in this section.This paper uses an experiment in [55] that uses a cryptographic library called NTL, which is a familiar numbering theory library.On a hardware platform with an Intel(R) Core(TM) i5-10700 CPU operating at 2.9 GHz, 4 GB of RAM, and Windows 10 for operation (64-bit), the suggested L-CPPA system is implemented.
For simplicity, MSP, SVP, and BVP indicate the message signing step, single process, and batch verification process, respectively.In the MSP for a scheme of Mukherjee et al. [53], a component only requires executing a keyed-hash message authentication process and a secure hash function operation.Entire computation cost is T hash + T mac � 0.0227 ms.In SVP, the component requires to run a keyed-hash data authentication process and a hash function operation.Entire computation cost is T hash + T mac � 0.0227ms.As for the BVP, the scheme of Mukherjee et al. [53] does not satisfy the batch verification of numerous data.
In the MSP for the scheme of Dharminder et al. [54], two vector multiplications with integers, two matrix multiplications with vectors, three hash operations, one XOR operation, and two vector additions in Z a q are needed to build a car.Additionally, an OBU requires sampling a vector from Z a q .Entire computation cost is . Some notations used and their description and execution.

T sak vec
The running time takes to complete adding items in Z q .Each of those vectors has a dimension of k.

T sab vec
The running time takes to complete adding items in Z q .Each of those vectors has a dimension of b.

ms T saa vec
The running cost takes to complete adding items in Z q .Each of those vectors has a dimension of a.

ms T ala vec
Suppose that x is a items in Z a q and m 2 Z q .T ala vec is the running cost of m * x mod q. 0.697 ms

T alb vec
Suppose that y is a items in Z n q and and n 2 Z q .T alb vec is the running cost of y * a mod q. 0.074 ms

T ab va
The cost required for the procedure of multiplying a matrix by an element on a mod q to complete.Moreover, this matrix has a rows and b columns.

T ak va
Suppose that D is item in Z a * k q and x is a item in Z k q .T ak va is the running cost of the multiplication Dx mod q. 28 ms q and y is an element in Z k q .T bk va is the running cost of the multiplication Dy mod q.

T mul mat
The running costs of the multiplication of factories on module q is indicated by T mul mat .Additionally, the prime matrix is an item in Z a * b q and the other matrix is an item in Z b * k q .

T hash
The execution cost of a hash function is indicated by this symbol.The running times of h 1 , h 2 , and h 3 in the proposed L-CPPA scheme can be accurately reflected by this execution time, it is important to note.Since the hash function h 0 can be calculated offline, its running time can be disregarded.

T xor
The running cost of XOR process of both elements in Z b q .0.0002 ms

T sp
The duration of selecting a random vector with a discrete Gaussian distribution.15 ms https://doi.org/10.1371/journal.pone.0292690.t002 SVP, to operate on the vehicle, two vector multiplications and an integer addition must be performed in Z a q , a single operation consisting of multiplying a matrix by a vector.Entire computation cost is T ba va þ 2T ala vec þ 2T saa vec � 50:164ms.As for the BVP, the vehicle requires to run single multiplication procedure of an element and matrix, 2N addition procedures of vectors in Z a q , 3N + 1 multiplication procedures of an integer and a vector.Entire computation cost is T ba va þ ð3N þ 1ÞT ala vec þ 2N * T saa vec � 334:797ms.The same method to compute the computation costs of the suggested L-CPPA system in terms of MSP, SVP, and BVP.Table 3 lists the precise computation costs for each of the three authentication and privacy-preserving schemes procedures.

Costs of communication
This section shows the communicational overheads of the proposed L-CPPA scheme and the relevant studies of Mukherjee et al. [53] and Dharminder et al. [54].For simplicity, the size of a timestamp must be assumed to be 4 bytes, and all authentication schemes require the same amount of data to sign messages.Additionally, the other two schemes have the same b, a, k, q system parameters as our scheme.Thus, only the size of the signatures produced by these authentication systems needs to be taken into account.
In the scheme of Mukherjee et al. [53], the node transmits the final signature fSPID k i ; ts; d i g to all participating nodes in the system.The size of ts, SPID k i and the signature are 20 bytes, 20 bytes and 64 bytes, respectively.Additionally, the δ i contains two 20-byte hash amounts.
In scheme of Dharminder et al. [54], the tuples {R i , SK i , T i , AID i } sent to the node.Therefore, the quantity of this signature is nearby 4 + 846 = 6800 bits.The quantity of AID i is 2 * n * log 2 (q-1) = 175 bytes.Additionally, the quantity of R i is nlog 2 ðq1Þ ¼ 87:5 bytes and that of Sk i is mlog 2 ðq1Þ ¼ 4662 bits.
In the proposed L-CPPA scheme, the vehicle transmits the final signature {AID i , M i , B i , T i , σ i } to other vehicles and fog servers.Since AID i ¼ ðAID i should be a random item in Z b q .To top the quantity of AID 2 i , we let all amounts of AID 2 i be q − 1.Likewise, AID 1 i is a random item in Z b q .It could readily compute the major size of AID i , which is 2nlog 2 ðq1Þ ¼ 1400 bits.Since B i = A i � D and A i 2 0, 1 a*k , the top item of B i is q − 1 = 7000 bytes.Since of s i 2 Z b q , the top of this element is q − 1.Thus, the costs of σ i is b * log 2 (q − 1) = 583 bytes.The quantity of the tuples {AID i , M i , B i , T i , σ i } is approximately 7757 bytes.Table 4 tabulates the comparison of the communicational overheads of the suggested L-CPPA system and the other two schemes.